1. You wrote:

File /etc/pam.d/system is included by /etc/pam.d/login. I cannot see a
difference.

There should not be any difference, but the frustrating point is - THERE IS A DIFFERENCE! That's why I replied to that post at FreeBSD forums. A bug might be present either in PAM modules or in SSSD (I'm not a programmer, so can't determine where exactly).

2. Another moment:

BTW: You tested access with sshd, but file /etc/pam.d/system needn't be used
in /etc/pam.d/sshd which is used by sshd.

I was talking about local logins, not about SSH access:

"At the same time I cannot locally login to my FreeBSD host as either IPA
user or local user."

3. About changing passwords:

Unfortunately, it is not possible to change password for ldap (sssd) users
in FreeBSD. It is described in FreeBSD ldap client documentation (which uses
nss-pam-ldapd)
https://www.freebsd.org/doc/en/articles/ldap-auth/client.html#caveats

This really explains a lot, thanks for this link.
They write: "...most administrators are left to implement a solution themselves." As of now, my solution is to create a dummy Linux client just for changing passwords.


17-Oct-14 14:15, Lukas Slebodnik wrote:
On (17/10/14 12:27), Orkhan Gasimov wrote:
Replying to myself is great... Anyway, maybe this info will be useful for
people like me, trying to integrate FreeBSD with FreeIPA.

Solved some problems:

1. "SSH-ing as existing IPA user "rsiwal" to my FreeBSD client fails. The
same user can SSH or locally login to my Linux client. "

That happened because the shell specified for user "rsiwal" was /bin/bash.
After changing it to /bin/sh that problem disappeared.
It needn't be changed in LDAP (IPA). You can change (override) shell on client
side.
For details see:
     man sssd.conf -> override_shell

2. "At the same time I cannot locally login to my FreeBSD host as either IPA
user or local user."

I posted the cause and solution at FreeBSD forums:
https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/

In post you wrote:
    The problem is in this string in the /etc/pam.d/system file:
    account required /usr/local/lib/pam_sss.so ignore_unknown_user
That string gives login errors, with or without ignore_unknown_user part.
    The only solution I found for now is to comment that string out and add it
    explicitly into /etc/pam.d/login file. Then local login process proceeds
    without errors.

File /etc/pam.d/system is included by /etc/pam.d/login. I cannot see a
difference.

BTW: You tested access with sshd, but file /etc/pam.d/system needn't be used
in /etc/pam.d/sshd which is used by sshd.

I would recommend having the next line in /etc/pam.d/system and /etc/pam.d/sshd.
Without this line, access control will not work. (HBAC)
account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail


3. "If I create a new user in IPA, he can't initially SSH into FreeBSD
client.
BSD says: "password expired", but doesn't take new password.
The same new user can SSH into my Linux client.
Linux says: "password expired" and allows to set a new password with a
message: "All authentication tokens updated successfully."
After I set a new password for my newly created user via Linux, I can SSH
into my BSD client as that user.
Using this hack I can create new users in IPA, SSH into Linux to change their
passwords and then use those new users to SSH into FreeBSD."

Didn't find a solution yet. But I think this is caused by lack of proper
configuration of Kerberos on my FreeBSD client. On my Linux client I found
such a configuration in /etc/krb5.conf file. However, there's no such file on
my FreeBSD client, as the post on FreeBSD forums didn't say anything about
such a file. I'll do some more checks and share the results here.
FreeIPA requires to change password for new users.
Unfortunately, it is not possible to change password for ldap (sssd) users
in FreeBSD. It is described in FreeBSD ldap client documentation (which uses
nss-pam-ldapd)
https://www.freebsd.org/doc/en/articles/ldap-auth/client.html#caveats

LS
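The thread turns on two facts that are easy to check but easy to get wrong by eye: whether /etc/pam.d/login really inherits the pam_sss.so account line through its "account include system" entry, and whether /etc/pam.d/sshd has that line active with both ignore_unknown_user and ignore_authinfo_unavail (without it, as Lukas notes, HBAC is not applied). The script below is an added example for this thread, not code from either poster, FreeBSD or SSSD. It resolves the effective "account" stack of a FreeBSD-style PAM service by following "include" lines and reports whether a complete pam_sss.so entry is present. The function names and the sample pam.d files in the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Resolves the effective "account" stack
# of a FreeBSD-style PAM service file, following "account include <service>"
# lines, and checks whether an active pam_sss.so entry carries both options
# Lukas recommends (ignore_unknown_user and ignore_authinfo_unavail).
# Function names and the sample pam.d files are constructed for this example.
# "local" is not strictly POSIX but is supported by FreeBSD sh, dash and bash.
set -f   # no pathname expansion when splitting PAM lines into fields

# Print every active "account" line that service $2 in pam.d directory $1
# ends up with, descending into included services.
pam_account_stack() {
    local dir svc line
    dir="$1"
    svc="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;        # skip blank lines and comments
        esac
        set -- $line                   # split the line into PAM fields
        [ "$1" = "account" ] || continue
        if [ "$2" = "include" ]; then
            pam_account_stack "$dir" "$3"
        else
            printf '%s\n' "$line"
        fi
    done < "$dir/$svc"
}

# Succeed (exit 0) only if the resolved account stack has an uncommented
# pam_sss.so line that names both recommended options.
check_pam_sss_account() {
    pam_account_stack "$1" "$2" \
        | grep 'pam_sss\.so' \
        | grep 'ignore_unknown_user' \
        | grep -q 'ignore_authinfo_unavail'
}

# Constructed sample pam.d tree in a temporary directory (removed on exit).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/system" <<'EOF'
# constructed: /etc/pam.d/system with the recommended pam_sss line
auth        required    pam_unix.so     no_warn try_first_pass
account     required    pam_login_access.so
account     required    /usr/local/lib/pam_sss.so   ignore_unknown_user ignore_authinfo_unavail
account     required    pam_unix.so
EOF

cat > "$demo_dir/login" <<'EOF'
# constructed: /etc/pam.d/login pulls its account stack from "system"
auth        include     system
account     include     system
session     include     system
EOF

cat > "$demo_dir/sshd" <<'EOF'
# constructed: /etc/pam.d/sshd has the pam_sss line commented out
account     required    pam_nologin.so
#account    required    /usr/local/lib/pam_sss.so   ignore_unknown_user ignore_authinfo_unavail
account     required    pam_unix.so
EOF

# Report on each service: "login" passes via the include, "sshd" does not.
for svc in login sshd; do
    if check_pam_sss_account "$demo_dir" "$svc"; then
        echo "$svc: pam_sss account line present with both options"
    else
        echo "$svc: no active pam_sss account line (HBAC will not apply)"
    fi
done
```

To run it against a real host, replace "$demo_dir" with /etc/pam.d and the service names with the ones you care about; a service that only reaches pam_sss.so through an include shows up the same way as one that carries the line directly, which is the point of resolving the stack rather than grepping a single file.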

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
